Improve OAuth csrf token with "Signed Double-Submit Cookie" #37560

Open
zhaohuabing opened this issue Dec 8, 2024 · 0 comments · May be fixed by #37646
Labels
area/oauth enhancement Feature requests. Not bugs or questions.

Comments

@zhaohuabing (Member) commented Dec 8, 2024

The current CSRF token in the OAuth2 filter state is a random string. This can be improved by signing the random string with the HMAC secret, adding protection against CSRF token forgery.

Originally commented by @denniskniep

#36276 (comment)

The Double-Submit Cookie Pattern is discouraged by OWASP:
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#naive-double-submit-cookie-pattern-discouraged

From my point of view we can look into that later, if we even want to mitigate those threats. I am not sure which risks are accepted by Envoy. But those mentioned by OWASP assume that the attacker can access Envoy's cookies via subdomain takeover, subdomain XSS or man-in-the-middle.
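The difference between the two schemes, as an added illustration that is not part of the issue and not Envoy's code: the naive pattern only checks that the cookie value and the `state` value match, so an attacker who can set a cookie on the victim's browser can plant any value in both places. The signed variant appends an HMAC-SHA256 tag computed with the filter's secret, so a value the filter never minted fails verification before the cookie/state comparison is even reached. The secret, function names and the `nonce.tag` encoding are assumptions for this example; the real filter's wire format and secret handling are its own.

```python
import hashlib
import hmac
import secrets

# Assumed stand-in for the OAuth2 filter's configured HMAC secret.
# Constructed for this example only; a real deployment loads it from config.
HMAC_SECRET = b"constructed-example-secret-do-not-use"


def naive_csrf_token() -> str:
    """Naive double-submit: the token is just a random string."""
    return secrets.token_hex(16)


def naive_verify(cookie_token: str, state_token: str) -> bool:
    """Naive check: cookie and state only have to equal each other, so any
    value an attacker can write into the cookie is accepted as long as the
    same value is placed in the state parameter."""
    return hmac.compare_digest(cookie_token, state_token)


def _tag(nonce: str, secret: bytes) -> str:
    """HMAC-SHA256 over the nonce, hex encoded."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def signed_csrf_token(secret: bytes = HMAC_SECRET) -> str:
    """Signed double-submit: random nonce plus HMAC(secret, nonce).
    Encoding assumed here: '<nonce>.<hex tag>'."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_tag(nonce, secret)}"


def signed_verify(cookie_token: str, state_token: str,
                  secret: bytes = HMAC_SECRET) -> bool:
    """Accept only if the cookie token carries a valid tag for its nonce
    AND it matches the token echoed back in the state parameter."""
    nonce, sep, tag = cookie_token.partition(".")
    if not sep or not nonce or not tag:
        return False                      # malformed: never minted by us
    if not hmac.compare_digest(_tag(nonce, secret), tag):
        return False                      # forged or tampered nonce/tag
    return hmac.compare_digest(cookie_token, state_token)


def forgery_demo() -> tuple:
    """Attacker who can write the victim's cookie plants the same
    attacker-chosen value in cookie and state. Returns
    (naive_accepts, signed_accepts)."""
    forged = "deadbeef" * 4               # chosen by attacker, never signed
    return naive_verify(forged, forged), signed_verify(forged, forged)


def tamper_demo() -> bool:
    """A genuine token whose nonce is altered but tag kept must be rejected."""
    nonce, _, tag = signed_csrf_token().partition(".")
    altered = nonce[:-1] + ("0" if nonce[-1] != "0" else "1")
    tampered = f"{altered}.{tag}"
    return signed_verify(tampered, tampered)


def legit_demo() -> bool:
    """Round trip: a token minted by the filter verifies against itself."""
    tok = signed_csrf_token()
    return signed_verify(tok, tok)


if __name__ == "__main__":
    print("forged value accepted (naive, signed):", forgery_demo())
    print("tampered nonce accepted (signed):", tamper_demo())
    print("genuine token accepted (signed):", legit_demo())
```

One caveat worth keeping in mind when weighing the quoted OWASP concern: the tag proves the cookie was minted by the filter, which stops an attacker from inventing a token, but it does not stop replay of a valid token the attacker has already read (the subdomain-XSS and man-in-the-middle cases above). OWASP's signed variant therefore also folds a session-bound value into the HMAC input; the snippet above only signs the nonce, matching what the issue proposes.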

@zhaohuabing zhaohuabing added enhancement Feature requests. Not bugs or questions. triage Issue requires triage labels Dec 8, 2024
@wbpcode wbpcode added area/oauth and removed triage Issue requires triage labels Dec 10, 2024